At 21:11 19-04-05 Tuesday, you wrote:
>After installing the update in Microsoft Security Bulletin MS05-019 on
>two servers at a customer site, we are no longer able to connect via VPN
>to terminal services on those servers. (Other servers that did not have
>the security bulletins from last Tuesday installed can connect via VPN.)
>
>After many hours over two days working with Microsoft Product Support
>Services, we discovered that forcing the MTU size down allowed the
>client to connect to terminal services. Today Microsoft PSS reported
>the they have confirmed that there is a problem with ICMP messages being
>incorrectly discarded (other have opened PSS cases about this issue).
>This could be why the MTU size is not being set correctly.
>
>There will be an update to the patch in MS05-019, but as of this time,
>that update is not available. A Microsoft KB article is being written
>and has been assigned the number KB898060, but as to this time, that
>article is not publicly available.
>
>I will be uninstalling the update for Security Bulletin MS05-019 from
>our customers servers this evening and waiting for the corrected patch
>before reinstalling it.

I don't believe this affects all systems. Our 2000 SP4 PPTP server
is not bothered by the problem described above and today I rebuilt a
Win2k SP4 VPN (MS PPTP) server for a customer when the old system's
HD died. Both boxes are fully patched with all Windows Updates and
HFNetChk 4.3 confirms there are no missing patches and PPTP works
great for the 15 or so VPN clients the customer has and they all hit
either a 2000 TS or their own XP Pro SP2 desktops inside their VPN
connection. Our customer is using a Cisco 3640 with IPFW installed
and the router is in NAT mode behind a T1 and we use a Cisco PIX on a
static IP ADSL connection. Both Cisco devices are setup to NAT the
PPTP traffic to the 2000 SP4 servers. This poster didn't state if
his box was 2000 or 2003, but on 2000 SP4 the problem he describes is
not evident on our systems.

--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

Relevant Pages

Re: Site to Site VPN 2 SBS servers... site to site VPN....Microsoft CSS Online Newsgroup Support... This newsgroup only focuses on SBS technical issues. ... | Subject: Re: Site to Site VPN 2 SBS servers...(microsoft.public.windows.server.sbs)

Re: MS05-019 Breaks VPN...Microsoft changed the default behavior of IPSec ... That means that any Microsoft L2TP/IPSec VPN... >VPN to terminal services on those servers.... SP4 VPN server for a customer when the old system's HD died. ...(NT-Bugtraq)

Re: Home DSL Connections Hijacked for Porn... You are the customer.... The service is exactly what the provider sets forth. ... of doing business (tariff imposed by one of two parties to a business ... Cut down the number of unauthorized servers and you ...(comp.security.firewalls)

Re: Obscure license issue question... and use alternate port forwarding for SQL replication into ... We don't care about mail servers etc as the customer ...SBS licensing don't allow you to ... >> A customer of mine has an SBS machine in his head office. ...(microsoft.public.backoffice.smallbiz2000)

Re: [Info-ingres] Re: Maintenance support... have two database servers and 6 application servers fronted by a ... At another customer, ... The "cpu power" price model is devastating for our pricing models ... And we rely on the database vendor support FIFTY ...(comp.databases.ingres)